Order-Revealing Encryption:
1 Order-Revealing Encryption: How to Search on Encrypted Data Kevin Lewi and David J. Wu Stanford University
2 Searching on Encrypted Data
8 Searching on Encrypted Data: data breaches have become the norm rather than the exception
9 Why Not Encrypt? "because it would have hurt Yahoo's ability to index and search messages to provide new user services" ~Jeff Bonforte (Yahoo SVP)
10 Order-Revealing Encryption [BLRSZZ 15]: secret-key encryption scheme. Figure: a client (holding sk) and a server (holding ct_1 = Enc(sk, 123), ct_2 = Enc(sk, 512), ct_3 = Enc(sk, 273)). Which is greater: the value encrypted by ct_1 or the value encrypted by ct_2? (Legacy-friendly) range queries on encrypted data.
11 Order-Revealing Encryption [BLRSZZ 15]: given any two ciphertexts ct_1 = Enc(sk, x) and ct_2 = Enc(sk, y), there is a public function for performing comparisons (x > y). OPE [BCLO 09]: comparison function is numeric comparison on ciphertexts.
12 The Landscape of ORE (plot with axes Space Efficiency and Security, not drawn to scale): OPE [BCLO 09]; Practical ORE [CLWW 16]; This work; schemes with precise leakage profile [CLWW 16]; Concurrent work [CLOZ 16, JP 16]; constructions based on mmaps [BLRSZZ 15] or obfuscation [GGGJKLSSZ 14].
13 Inference Attacks [NKW 15, DDC 16, GSBNR 16]: encrypted database + public information, then frequency and statistical analysis, then plaintext recovery (figure: an encrypted table with columns ID, Name, Age, Diagnosis, in which entries such as Alice, Bob, Charlie are recovered).
14 Online vs. Offline Security: Online attacks (e.g., active corruption): adversary sees encrypted database + queries and can interact with the database. Offline attacks (e.g., passive snapshots): adversary only sees contents of encrypted database. Typical database breach: contents of database are stolen and dumped onto the web.
15 Inference Attacks [NKW 15, DDC 16, GSBNR 16]: PPE schemes always reveal certain properties (e.g., equality, order) on ciphertexts and thus are vulnerable to offline inference attacks. Can we fully defend against offline inference attacks while remaining legacy-friendly?
16 This Work: Can we fully defend against offline inference attacks while remaining legacy-friendly? Trivial solution: encrypt the entire database, and have the client provide the decryption key at query time. But no online security! Desiderata: an ORE scheme that enables perfect offline security and limited leakage in the online setting.
17 ORE with Additional Structure: Focus of this work: performing range queries on encrypted data. Key primitive: order-revealing encryption scheme where ciphertexts have a decomposable structure; ciphertexts naturally split into two components, ct_L and ct_R (figure: Enc(101) splits into ct_L and ct_R; comparing Enc_L(101) with Enc_R(100) gives "greater than").
18 ORE with Additional Structure (figure: Enc_L(101) gives ct_L, Enc_R(100) gives ct_R): right ciphertexts provide semantic security! Comparison can be performed between left ciphertext and right ciphertext. Robustness against offline inference attacks!
19 Encrypted Range Queries: build encrypted index from the table (columns ID, Name, Age, Diagnosis; rows for Alice, Bob, Charlie, Inigo). Store right ciphertexts in sorted order; record IDs encrypted under independent key. Name index: Enc_R(Alice) → Enc(0), Enc_R(Bob) → Enc(1), Enc_R(Charlie) → Enc(2), Enc_R(Inigo) → Enc(3). Age index: Enc_R(31) → Enc(0), Enc_R(41) → Enc(2), Enc_R(45) → Enc(3), Enc_R(47) → Enc(1). Diagnosis index: Enc_R(2) → Enc(2), Enc_R(2) → Enc(0), Enc_R(3) → Enc(1), Enc_R(4) → Enc(3). Separate index for each searchable column, and using independent ORE keys.
20 Encrypted Range Queries: Encrypted database: table with columns ID, Name, Age, Diagnosis (rows for Alice, Bob, Charlie, Inigo); columns (other than ID) are encrypted using a semantically-secure encryption scheme. Clients hold (secret) keys needed to decrypt and query database. Encrypted search indices: the Name, Age and Diagnosis indices of slide 19.
21 Encrypted Range Queries: Query for all records where 40 ≤ age ≤ 45: Enc_L(40), Enc_L(45)
22 Encrypted Range Queries: Query for all records where 40 ≤ age ≤ 45: Enc_L(40), Enc_L(45). Age index: Enc_R(31) → Enc(0), Enc_R(41) → Enc(2), Enc_R(45) → Enc(3), Enc_R(47) → Enc(1).
23 Encrypted Range Queries: Query for all records where 40 ≤ age ≤ 45: Enc_L(40), Enc_L(45). Age index: Enc_R(31) → Enc(0), Enc_R(41) → Enc(2), Enc_R(45) → Enc(3), Enc_R(47) → Enc(1). Use binary search to determine endpoints (comparison via ORE).
24 Encrypted Range Queries: Query for all records where 40 ≤ age ≤ 45: Enc_L(40), Enc_L(45). Age index: Enc_R(31) → Enc(0), Enc_R(41) → Enc(2), Enc_R(45) → Enc(3), Enc_R(47) → Enc(1). Use binary search to determine endpoints (comparison via ORE).
25 Encrypted Range Queries: Query for all records where 40 ≤ age ≤ 45: Enc_L(40), Enc_L(45). Age index: Enc_R(31) → Enc(0), Enc_R(41) → Enc(2), Enc_R(45) → Enc(3), Enc_R(47) → Enc(1). Use binary search to determine endpoints (comparison via ORE); return encrypted indices that match query.
26 Encrypted Range Queries: Query for all records where 40 ≤ age ≤ 45: Enc(2), Enc(3). Client decrypts indices to obtain set of matching records.
27 Encrypted Range Queries: Query for all records where 40 ≤ age ≤ 45: Enc(2), Enc(3). Records 2, 3: Enc(r_2), Enc(r_3).
28 Encrypted Range Queries: Query for all records where 40 ≤ age ≤ 45: Enc(2), Enc(3). Records 2, 3: Enc(r_2), Enc(r_3). Client decrypts to obtain records.
29 Encrypted Range Queries: Query for all records where 40 ≤ age ≤ 45: Enc(2), Enc(3). Records 2, 3: Enc(r_2), Enc(r_3). Some online leakage: access pattern + ORE leakage.
30 Encrypted Range Queries: Encrypted database: table with columns ID, Name, Age, Diagnosis (rows for Alice, Bob, Charlie, Inigo), together with the encrypted search indices (Name, Age, Diagnosis) of slide 19. Encrypted database is semantically secure! Perfect offline security.
31 The Landscape of ORE (plot with axes Space Efficiency and Security, not drawn to scale): OPE [BCLO 09] and Practical ORE [CLWW 16]: broken by inference attacks [NKW 15, DDC 16, GSBNR 16]; This work: can provide perfect offline security; Concurrent work [CLOZ 16, JP 16]; constructions based on mmaps [BLRSZZ 15] or obfuscation [GGGJKLSSZ 14].
32 Our New ORE Scheme: small-domain ORE with best-possible security, combined with a domain extension technique inspired by CLWW 16, gives large-domain ORE with some leakage.
33 Small-Domain ORE with Best-Possible Security: Suppose plaintext space is small: {1, 2, …, N}. Associate a key with each value: 1 with k_1, 2 with k_2, 3 with k_3, …, N with k_N. (k_1, …, k_N) is the secret key (can be derived from a PRF).
34 Small-Domain ORE with Best-Possible Security: Encrypting a value i (position i). Invariant: all positions ≤ i have value 1 while all positions > i have value 0.
35 Small-Domain ORE with Best-Possible Security: Encrypting a value i: encrypt each slot with key for that slot (k_1, k_2, …, k_i, k_{i+1}, …, k_N). To allow comparisons, also give out key for slot i (k_i).
36 Small-Domain ORE with Best-Possible Security: Given two ciphertexts, one carrying key k_i with slots under k_1, …, k_i, k_{i+1}, …, k_j, …, k_N and one carrying key k_j with slots under k_1, …, k_i, …, k_j, k_{j+1}, …, k_N: decrypt to learn ordering (decrypted slot value 0 in the figure).
37 Small-Domain ORE with Best-Possible Security: Given two ciphertexts (same figure as slide 36): but this reveals i.
38 Small-Domain ORE with Best-Possible Security: Solution: apply random permutation π (part of the secret key) to the slots (key k_i; slots under k_1, k_2, …, k_i, k_{i+1}, …, k_N).
39 Small-Domain ORE with Best-Possible Security: Solution: apply random permutation π (part of the secret key) to the slots. The key given out is k_π(i) and includes index π(i); the slots, under k_π(1), k_π(2), …, k_π(i), k_π(i+1), …, k_π(N), are semantically secure (right ciphertext). Achieves best-possible security, but ciphertexts are big.
40 Domain Extension for ORE: Key idea: decompose message into smaller blocks and apply small-domain ORE to each block. Figure: b_1 b_2 b_3 b_4 b_5 b_6 b_7 b_8 split into two 4-bit chunks, each with its own small-domain ORE ciphertext; encrypt each chunk using an ORE instance with a secret key derived from the prefix.
41 Domain Extension for ORE: Key idea: decompose message into smaller blocks and apply small-domain ORE to each block. Figure: b_1 b_2 b_3 b_4 b_5 b_6 b_7 b_8 split into two 4-bit chunks; for chunk b_1 b_2 b_3 b_4, keys derived from empty prefix; for chunk b_5 b_6 b_7 b_8, keys derived from prefix b_1 b_2 b_3 b_4. Encrypt each chunk using an ORE instance with a secret key derived from the prefix.
42 Domain Extension for ORE (figure: two ciphertexts, each with one small-domain ORE ciphertext per chunk of b_1 … b_8): comparison proceeds block-by-block. Overall leakage: first block that differs.
43 Domain Extension for ORE: Same decomposition into left and right ciphertexts. Right ciphertexts provide semantic security! Note: optimizations are possible if we apply this technique in a non-black-box way to the small-domain ORE. See paper for details.
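Added example (not code from the slides or from the authors' implementation): the left/right ORE of slides 17-18 and 33-43 with two 4-bit blocks, driving the range query of slides 19-30 over the Age index, with the bounds 40 and 45 treated as inclusive. Assumptions: HMAC-SHA256 as the PRF, SHA-256 for the slot mask, a three-valued slot (equal/less/greater) in place of the 0/1 invariant of slide 34 so that comparison can step past equal blocks, and a one-byte stand-in for Enc(id); all function names are hypothetical.

```python
import hashlib
import hmac
import os

BLOCK_BITS, N_BLOCKS = 4, 2      # 8-bit values as two 4-bit chunks (slide 40)
N = 1 << BLOCK_BITS              # slots per block

def prf(key, *parts):
    """HMAC-SHA256 used as the PRF (assumption; any PRF works)."""
    return hmac.new(key, repr(parts).encode(), hashlib.sha256).digest()

def mask(slot_key, nonce):
    """Per-slot blinding value in {0, 1, 2}, fresh for every nonce."""
    return int.from_bytes(hashlib.sha256(slot_key + nonce).digest(), "big") % 3

def perm(k_perm, prefix):
    """Secret permutation of the N slots, keyed by the prefix: p[pos] = value."""
    return sorted(range(N), key=lambda v: prf(k_perm, prefix, v))

def blocks(x):
    """Split x into N_BLOCKS chunks, most significant first."""
    return [(x >> (BLOCK_BITS * (N_BLOCKS - 1 - i))) & (N - 1) for i in range(N_BLOCKS)]

def cmp3(a, b):
    """0 if a == b, 1 if a < b, 2 if a > b."""
    return 0 if a == b else (1 if a < b else 2)

def enc_left(sk, x):
    """Left ciphertext: per block, the permuted index pi(x_i) and that slot's key."""
    k_slot, k_perm = sk
    b, out = blocks(x), []
    for i, v in enumerate(b):
        prefix = tuple(b[:i])                     # keys are derived from the prefix
        pos = perm(k_perm, prefix).index(v)
        out.append((pos, prf(k_slot, prefix, pos)))
    return out

def enc_right(sk, y):
    """Right ciphertext: a nonce plus, per block, N blinded comparison slots."""
    k_slot, k_perm = sk
    b, nonce, rows = blocks(y), os.urandom(16), []
    for i, v in enumerate(b):
        prefix = tuple(b[:i])
        p = perm(k_perm, prefix)
        rows.append([(cmp3(p[pos], v) + mask(prf(k_slot, prefix, pos), nonce)) % 3
                     for pos in range(N)])
    return nonce, rows

def compare(ct_left, ct_right):
    """Public comparison: -1, 0 or 1 for x < y, x == y, x > y.
    Stops at the first differing block, which is exactly what it leaks."""
    nonce, rows = ct_right
    for (pos, key), row in zip(ct_left, rows):
        r = (row[pos] - mask(key, nonce)) % 3
        if r:
            return -1 if r == 1 else 1
    return 0

def seal_id(k_id, rid):
    """Stand-in for Enc(id) under an independent key (one byte, no integrity)."""
    n = os.urandom(16)
    return n + bytes([rid ^ prf(k_id, n)[0]])

def open_id(k_id, token):
    return token[16] ^ prf(k_id, token[:16])[0]

def build_index(sk, k_id, column):
    """Client side: right ciphertexts sorted by plaintext, paired with sealed IDs."""
    return [(enc_right(sk, v), seal_id(k_id, rid))
            for rid, v in sorted(column.items(), key=lambda kv: kv[1])]

def range_query(index, left_lo, left_hi):
    """Server side: two binary searches using only compare(); returns sealed IDs."""
    def first(pred):
        a, b = 0, len(index)
        while a < b:
            m = (a + b) // 2
            a, b = (a, m) if pred(index[m][0]) else (m + 1, b)
        return a
    start = first(lambda ct: compare(left_lo, ct) <= 0)   # first value >= lo
    end = first(lambda ct: compare(left_hi, ct) < 0)      # first value > hi
    return [tok for _, tok in index[start:end]]

def demo():
    """Constructed data matching the Age index on slides 19-30."""
    sk, k_id = (os.urandom(32), os.urandom(32)), os.urandom(32)
    ages = {0: 31, 1: 47, 2: 41, 3: 45}           # record id -> age
    index = build_index(sk, k_id, ages)
    hits = range_query(index, enc_left(sk, 40), enc_left(sk, 45))
    return sorted(open_id(k_id, t) for t in hits)

if __name__ == "__main__":
    print(demo())
```

The server never sees a left ciphertext until a query arrives, so a snapshot of the stored index contains only right ciphertexts and sealed IDs.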
44 The Landscape of ORE (plot with axes Space Efficiency and Security, not drawn to scale): OPE [BCLO 09]; Practical ORE [CLWW 16] (leakage: position of first differing bit); This work (leakage: position of first differing block); Concurrent work [CLOZ 16, JP 16]; constructions based on mmaps [BLRSZZ 15] or obfuscation [GGGJKLSSZ 14].
45 Performance Evaluation: table with columns Scheme, Encrypt (μs), Compare (μs), ct (bytes) and rows OPE [BCLO 09], Practical ORE [CLWW 16], This work (4-bit blocks), This work (8-bit blocks), This work (12-bit blocks). Benchmarks taken for C implementation of different schemes (with AES-NI). Measurements for encrypting 32-bit integers.
46 Performance Evaluation (same table as slide 45): Encrypting byte-size blocks is 65x faster than OPE, but ciphertexts are 30x longer. Security is substantially better.
47 Conclusions: Inference attacks render most conventional PPE-based constructions insecure. However, ORE is still a useful building block for encrypted databases. Introduced new paradigm for constructing ORE that enables range queries in a way that is mostly legacy-compatible and provides offline semantic security. New ORE construction that is concretely efficient with strong security. In paper: new impossibility results for security achievable using OPE.
48 Open Problems: What kind of inference attacks are possible in the online setting? Indices encrypted separately, so multi-column correlations harder to infer. More limited leakage profile (between left and right ciphertexts). Can we construct small-domain OREs (with best-possible security) and sublinear (in the size of the domain) ciphertext size from PRFs? Can we construct left/right ORE (from PRFs) where both left and right ciphertexts are semantically secure?
49 Questions? Paper: Website: Code:
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationModern Cryptography Activity 1: Caesar Ciphers
Activity 1: Caesar Ciphers Preliminaries: The Caesar cipher is one of the oldest codes in existence. It is an example of a substitution cipher, where each letter in the alphabet is replaced by another
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationEncrypted Data Deduplication in Cloud Storage
Encrypted Data Deduplication in Cloud Storage Chun- I Fan, Shi- Yuan Huang, Wen- Che Hsu Department of Computer Science and Engineering Na>onal Sun Yat- sen University Kaohsiung, Taiwan AsiaJCIS 2015 Outline
More informationDistributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011
Distributed Key Management and Cryptographic Agility Tolga Acar 24 Feb. 2011 1 Overview Distributed Key Lifecycle Problem statement and status quo Distributed Key Manager Typical application scenario and
More informationInformation Security
SE 4472b Information Security Week 2-2 Some Formal Security Notions Aleksander Essex Fall 2015 Formalizing Security As we saw, classical ciphers leak information: Caeser/Vigenere leaks letter frequency
More informationUnbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018
Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018 Junichi Tomida (NTT), Katsuyuki Takashima (Mitsubishi Electric) Functional Encryption[OʼNeill10, BSW11] msk Bob f(x) sk f
More informationAuthenticated Encryption
18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:
More informationGeneric Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model
Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,
More informationAmorphic Encryption. Egger Mielberg
Amorphic Encryption Egger Mielberg egger.mielberg@gmail.com 27.01.2019 Abstract. As a symmetric as an asymmetric scheme requires a key (session or private) to be hidden. In this case, an attacker gets
More informationA different kind of Crypto
A different kind of Crypto Parker Schmitt November 16, 2014 1 Contents 1 Introduction 3 2 A brief discussion of modern crypto 3 2.1 How modern (non-payload) crypto works............. 4 2.2 Known Plaintext
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationRelaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey, Santanu Sarkar and Mahavir Prasad Jhanwar CR Rao AIMSCS Hyderabad November 2, 2012 Outline 1 Definitions
More informationSecret Key Cryptography
Secret Key Cryptography 1 Block Cipher Scheme Encrypt Plaintext block of length N Decrypt Secret key Cipher block of length N 2 Generic Block Encryption Convert a plaintext block into an encrypted block:
More informationSecurity Analysis of PSLP: Privacy-Preserving Single-Layer Perceptron Learning for e-healthcare
Security Analysis of PSLP: Privacy-Preserving Single-Layer Perceptron Learning for e-healthcare Jingjing Wang 1, Xiaoyu Zhang 1, Jingjing Guo 1, and Jianfeng Wang 1 1 State Key Laboratory of Integrated
More informationUnit 8 Review. Secure your network! CS144, Stanford University
Unit 8 Review Secure your network! 1 Basic Problem Internet To first approximation, attackers control the network Can snoop, replay, suppress, send How do we defend against this? Communicate securely despite
More informationBUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX
BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX FLORIAN KERSCHBAUM, UNIVERSITY OF WATERLOO JOINT WORK WITH BENNY FUHRY (SAP), ANDREAS FISCHER (SAP) AND MANY OTHERS DO YOU TRUST YOUR CLOUD SERVICE
More information